[Bug 267884] kadmind can read beyond the end of an incoming message's buffer
Date: Sun, 20 Nov 2022 20:50:58 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267884

            Bug ID: 267884
           Summary: kadmind can read beyond the end of an incoming message's
                    buffer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #238198 text/plain
         mime type:

Created attachment 238198
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238198&action=edit
send a non-null-terminated appl_version to kadmind

kadmind's handle_v5() calls krb5_recvauth_match_version(), which contains:

    n = krb5_net_read (context, p_fd, &len, 4);
    ...;
    len = ntohl(len);
    her_appl_version = malloc (len);
    if (krb5_net_read (context, p_fd, her_appl_version, len) != len
        || !(*match_appl_version)(match_data, her_appl_version)) {
        repl = 2;
        krb5_net_write (context, p_fd, &repl, 1);
        krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
                               N_("wrong sendauth version (%s)", ""),
                               her_appl_version);

The code does not check that the incoming message in her_appl_version is
null terminated, which can cause trouble for match_appl_version()'s call to
sscanf, and krb5_set_error_message's use of her_appl_version.

This is with CURRENT source from today (Nov 20 2022).

I've attached a demo. Since there's often a null somewhere soon after the
end of the allocated buffer, the problem is only reliably visible with
something like valgrind:

# /usr/libexec/kadmind --version
kadmind (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
# valgrind /usr/libexec/kadmind --debug &
# cc kadmind3a.c
# ./a.out
==67648== Memcheck, a memory error detector
==67648== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==67648== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==67648== Command: /usr/libexec/kadmind --debug
==67648==
==67648== Invalid read of size 1
==67648==    at 0x4852EE9: strlen (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==67648==    by 0x4A596BC: vsscanf (in /lib/libc.so.7)
==67648==    by 0x4A4C72C: sscanf (in /lib/libc.so.7)
==67648==    by 0x112677: ??? (in /usr/libexec/kadmind)
==67648==    by 0x4907BE6: krb5_recvauth_match_version (in /usr/lib/libkrb5.so.11)
==67648==    by 0x1114CD: ??? (in /usr/libexec/kadmind)
==67648==    by 0x112978: ??? (in /usr/libexec/kadmind)
==67648==    by 0x10D16C: ??? (in /usr/libexec/kadmind)
==67648==    by 0x4823007: ???
==67648==  Address 0x5b463b6 is 0 bytes after a block of size 150 alloc'd
==67648==    at 0x484C8A4: malloc (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==67648==    by 0x4907BA9: krb5_recvauth_match_version (in /usr/lib/libkrb5.so.11)
==67648==    by 0x1114CD: ??? (in /usr/libexec/kadmind)
==67648==    by 0x112978: ??? (in /usr/libexec/kadmind)
==67648==    by 0x10D16C: ??? (in /usr/libexec/kadmind)
==67648==    by 0x4823007: ???
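The receive path the report quotes trusts the peer to include a NUL inside the `len` bytes it announces. The following is an added example, not Heimdal's or FreeBSD's code, showing how that same message can be parsed so that no later strlen(), sscanf() or "%s" can read past the allocation: the buffer is over-allocated by one byte and terminated locally, and a payload with no NUL inside the announced length is rejected outright. The wire layout (4-byte big-endian length, then `len` bytes) is taken from the report; the function names, the MAX_APPL_VERSION_LEN cap and the "KADM0.<n>" version format are assumptions made for this example, and the sample messages are constructed inline.

```c
/* Added example (not Heimdal's or FreeBSD's code): a receive path for the
 * sendauth application-version message that cannot read past its buffer.
 *
 * Assumed wire layout, as described in the bug report: a 4-byte big-endian
 * length followed by `len` bytes that should hold a NUL-terminated string.
 * The function names, MAX_APPL_VERSION_LEN and the "KADM0.<n>" version
 * format are assumptions made for this example, not Heimdal's definitions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_APPL_VERSION_LEN 256u  /* assumed cap on the peer-announced length */

/* Parse a length-prefixed version string from an in-memory copy of the bytes
 * received so far.  On success *out holds a heap-allocated, NUL-terminated
 * copy and 0 is returned; -1 means truncated input, an unreasonable length,
 * or a payload with no NUL inside the announced length. */
int parse_appl_version(const unsigned char *msg, size_t msglen, char **out)
{
    uint32_t len;
    unsigned char *copy;

    *out = NULL;
    if (msglen < 4)
        return -1;                                  /* no complete length field */
    len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
          ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];   /* same as ntohl() */
    if (len == 0 || len > MAX_APPL_VERSION_LEN)
        return -1;                                  /* refuse absurd allocations */
    if (msglen - 4 < len)
        return -1;                                  /* fewer bytes than announced */

    /* Allocate one byte more than announced and terminate it ourselves, so a
     * later strlen()/sscanf()/"%s" can never run off the end of the block. */
    copy = malloc((size_t)len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, msg + 4, len);
    copy[len] = '\0';

    /* A peer that sent no NUL inside `len` bytes is exactly the case the bug
     * report describes; reject it rather than silently repairing it, so the
     * misbehaviour stays visible in the error path and logs. */
    if (memchr(copy, '\0', len) == NULL) {
        free(copy);
        return -1;
    }
    *out = (char *)copy;
    return 0;
}

/* Matcher in the spirit of kadmind's match_appl_version().  Calling sscanf()
 * here is only safe because parse_appl_version() guaranteed termination.
 * The "KADM0.%u" format and the accepted minor versions are assumptions. */
int appl_version_is_accepted(const char *appl_version)
{
    unsigned minor;
    if (sscanf(appl_version, "KADM0.%u", &minor) != 1)
        return 0;
    return minor <= 1;
}

/* Build a message in the assumed wire layout from a constructed payload.
 * Returns the total message size, or 0 if it does not fit in buf. */
size_t build_appl_version_msg(unsigned char *buf, size_t bufsz,
                              const char *payload, uint32_t len)
{
    if (bufsz < 4 + (size_t)len)
        return 0;
    buf[0] = (unsigned char)(len >> 24);
    buf[1] = (unsigned char)(len >> 16);
    buf[2] = (unsigned char)(len >> 8);
    buf[3] = (unsigned char)len;
    memcpy(buf + 4, payload, len);
    return 4 + (size_t)len;
}

int main(void)
{
    unsigned char buf[64];
    char *version = NULL;
    size_t n;

    /* Constructed well-formed message: "KADM0.1" plus its NUL, 8 bytes. */
    n = build_appl_version_msg(buf, sizeof buf, "KADM0.1", 8);
    if (parse_appl_version(buf, n, &version) == 0) {
        printf("accepted=%d version=%s\n",
               appl_version_is_accepted(version), version);
        free(version);
    }

    /* Constructed message with the NUL omitted: 7 bytes, no terminator.
     * This is the shape of input the bug report is about; it is rejected
     * before any string function touches it. */
    n = build_appl_version_msg(buf, sizeof buf, "KADM0.1", 7);
    printf("unterminated payload rejected=%d\n",
           parse_appl_version(buf, n, &version) == -1);
    return 0;
}
```

The two properties worth keeping apart are the over-allocation plus local terminator (which makes the later string functions safe regardless of what the peer sent) and the memchr() check (which turns a malformed peer into an explicit protocol error instead of a silently truncated version string); dropping the second would still be memory-safe, but would hide the misbehaving client from the error path and from the log line that formats her_appl_version with "%s".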